[cimtiaz]

Good Day,

I have an ASA5510 running in our network and connected to a ROUTER from outside interface with real public ip x.x.x.x/30 , with DMZ interface we have a FTP server with real public ip x.x.x.x/29

There is no NAT/PAT enabled, as x.x.x.x/29 is a Internet-routable public ip. I have used an extended access list as follows:

access-list INBOUND permit tcp any host x.x.x.x range 20 21

All is working fine no one from outside (internet) can access any other port on FTP server except 20 or 21. But the server maintenance operator use to run portable messenger and browsers on server, which is vulnerable.

As a best practice, I wish to block all internet access on the FTP server, so no one can use internet on FTP server but our clients can connect to FTP server from outside (internet) to upload their data.

I will be thankful for this guidance (consider me as an intermediate level)

Thanks,
Imtiaz.

[auglan]

Is the ftp server using active or passive ftp?

I would just creat an ACL permitting tcp port 20 and 21 inbound on the DMZ interface


access-list DMZ_TO_OUTSIDE permit tcp host x.x.x.x eq ftp any
access-list DMZ_TO_OUTSIDE permit tcp host x.x.x.x eq ftp-data any


access-group DMZ_TO_OUTSIDE in interface dmz

This will allow only traffic sourced from tcp port 20 and 21 from the ftp server and drop everything else. If you need to get antivirus updates, need dns resolution then you need to permit that as well.

You can get more granular with the "any" and just use your client's public ip's as well.